Extortion used in Express Scripts database breach

After receiving an extortion letter, a health care services company goes public, saying its customer database has been breached.

Robert Vamosi Former Editor

As CNET's former resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security.

See full bio

Robert Vamosi

Nov. 6, 2008 4:37 p.m. PT

2 min read

The customer database of Express Scripts, a company used by employer health care services to provide prescription medicine by mail, has been breached. In a twist, the company said it learned of the breach in "a letter from an unknown person or persons trying to extort money from the company."

The company posted details on its Web site Thursday. The letter, received in October, threatened to reveal millions of customer records--including Social Security numbers, addresses, dates of birth, and in some cases, prescription information--on the Internet if the extortion demands were not paid. The company did not disclose what those demands were.

Graham Cluley, of security software maker Sophos, told CNET News that Express Scripts did things right. "It appears they have not paid up." He noted that's important with data theft because the criminals have the data in their possession and can keep going back to the company to get more and more money. Second, Express Scripts went to the FBI and decided to go public about the breach.

"We have identified where the data involved in this situation was stored in our systems and have instituted enhanced controls," Express Scripts said on its site.

Cluley said: "I think it's going to be old-fashioned police work that gets to the bottom of this." For example, it's possible the sender of the extortion request and the attacker used the same servers.

Usually extortion is used in connection with denial-of-service of attacks, when the criminals have nothing of value except the sheer volume of data to spew at a targeted site. A letter is sent asking for money in exchange for ending that attack.

This however is an old-school data theft. The criminals presumably have millions of customer details that can be sold on the Internet. But Cluley notes that "people's identities sell for a relatively small amount, and if you go to an auction site on the Web and try to barter on that, you might not get that much as you might potentially get by embarrassing a company."

A few weeks ago, Sophos noted a similar data breach/extortion attempt at a North American Maserati dealership. Still, Cluley said he does not think this was the beginning of a trend.

Cluley said the thieves in this case might not be connected with the established "carder" world, where personal identities are bought and sold online. "Maybe this is an accidental data leakage, something they stumbled across, maybe they're not part of the criminal community, and they're just taking their chances."

Express Scripts said it will notify affected customers in compliance with state regulations.